user tried to logon outside his day of week or time of day restrictions

3221225584

C0000070

workstation restriction

3221225875

C0000193

account expiration

3221225585

C0000071

expired password

3221226020

C0000224

user is required to change password at next logon

3221226021

C0000225

evidently a bug in Windows and not a risk

Win2003

This event does not get logged by Windows Server 2003 despite MS documentation. It is replaced by 680 type Failure Audit.

In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID 680.